JailbreakMe 3.0: How Does It Work?

Early this morning, hacker comex released the third major version of his browser-based jailbreak tool, JailbreakMe. The tool supports the latest firmware, 4.3.3, and every available iOS device, including the iPad 2 (the first tool to do so, in fact). Users of JailbreakMe simply point their iOS device's Mobile Safari browser to jailbreakme.com and the hack is performed remotely, unlike most other tools, such as PwnageTool and redsn0w, that require a software download on your computer. So how does JailbreakMe 3.0 work?

JailbreakMe was first introduced way back in 2007 for iOS 1.1.1. It initially exploited a TIFF rendering vulnerability in Safari, which was quickly patched by Apple in iOS 1.1.2. Version 2.0 used a similar exploit in Adobe PDF rendering in iOS 3 (one that was even still present in iOS 4 when it was first released), but that was again patched by Apple come iOS 4.0.2. Version 3.0 exploits a different vulnerability in the Safari PDF rendering system. Once again, Safari loads a hacked PDF file containing hidden jailbreak code, which is then injected into the root file system of your iDevice, all from a regular ol', unsecured HTTP site.

The iPad 2 was notoriously difficult to jailbreak since the A5 chip still has no known bootrom exploits to this day. The JailbreakMe hack is unique in that, being browser-based, it must work completely in userland, meaning the jailbreak code must run in user space and can't be injected directly into the kernel the way other tools, which force users to enter DFU mode, do it. I imagine that makes things a bit more difficult for creator comex in some respects, but it also makes the iPad 2 hack possible in the first place.

JailbreakMe is an “untethered” jailbreak, meaning the user does not need to have their device plugged in to their computer while rebooting in order to keep the hack. Users may notice a line of colored pixels or other graphical glitches when rebooting. That’s because once the JailbreakMe hack is installed, it overloads the device framebuffer (i.e. loads itself into video memory) on startup, injecting the jailbreak code early in the startup sequence. That graphical glitch is the jailbreak code itself!

I imagine Apple engineers are already working feverishly to patch the security hole, and not just because they aren’t keen on jailbreakers. The exact PDF vulnerability, if it becomes known, could potentially be used by less magnanimous hackers to install malware onto your device. Interestingly, comex has also released a tool called PDF Patcher 2 that allows jailbreakers to patch up the exploit on their own devices. Locking the door on the way in, so to speak.

Apple is serious when it comes to security, so I imagine we will see a quick fix of the PDF exploit (and thus of JailbreakMe) in iOS 4.3.4. Because of this, comex advises JailbreakMe users to save their 4.3.3 SHSH blobs with TinyUmbrella if they’d like to keep their device hacked after the next iOS update is released. And as always, remember to sync and back up before jailbreaking!